Cyber Risk News
Swift detection of a malicious insider that used stolen credentials to gain unauthorized access to Australia’s Early Warning Network (EWN) allowed EWN staff to shut down systems and limit the number of messages the hacker was able to disperse, according to a 7 January 2019 update on the company’s website.
The anomalous activity of the hacker who had illegally accessed the EWN alert system was detected around 9:30 EDT on 5 January 2019. While news of companies being hacked becomes more commonplace, the ability to swiftly detect and respond to malicious insiders continues to be critical to an organization’s overall security strategy.
After gaining access to the alert system – which is designed to alert users to weather emergencies – the attacker was able to send what the company describes as “nuisance” messages by email, text message and phone calls to landlines to part of EWN’s database.
The message included a link to opt out of future messages; those who received the fraudulent alert are advised not to click the links and to delete the message.
“EWN staff at the time were able to quickly identify the attack and shut off the system limiting the number of messages sent out. Unfortunately, a small proportion of our database received this alert. Our systems are back up and running providing ongoing alerts for severe weather and natural hazard events. Investigations are continuing with police involvement,” the website said.
“The unauthorized alert sent on Saturday night was undertaken by an unauthorized person using illicitly gained credentials to log in and post a nuisance spam-notification to some of our customers. The links used in this alert were non-harmful and your personal information was not compromised in this event. Investigations are continuing with the police and Australian Cyber Security Centre involved.”
Infosecurity Magazine contacted EWN, but the company has not responded. According to the Australian Broadcasting Corporation (ABC), EWN's managing director, Kerry Plowright, said the breach was the result of compromised login details believed to have come from within Australia. No personal data has been compromised, as the system reportedly holds only "white pages" and no personal information.
Citing annoyance at government officials as his motive, a 20-year-old man has confessed to being the hacker responsible for releasing private information on hundreds of politicians in Germany, according to Reuters.
The news comes one day after investigators at the Federal Criminal Police Office (BKA) in Wiesbaden, Germany, reportedly searched the home of a 19-year-old man believed to have been connected with the suspected hacker who admitted he exposed the personal data of several German politicians.
On the evening of 6 January 2019, the BKA searched the suspect’s home in Central Hesse as part of its investigation into suspected spying and the unauthorized disclosure of personal data of politicians, journalists and public figures, according to a BKA statement. The suspect was provisionally arrested but released due to a lack of evidence.
Infosecurity Magazine contacted the BKA to clarify whether the suspect is currently under arrest and being detained, and this article will be updated with any further details.
“During the interrogation, the defendant stated that he had acted alone in the data spying and unauthorized data releases. The investigations have so far revealed no evidence of third-party participation. To his motivation, the defendant stated that he acted out of annoyance over public statements made by the politicians, journalists and public figures concerned,” the statement said.
Through its preliminary investigation, the BKA learned that the suspect reportedly used a hijacked Twitter account and routed his internet connections through a VPN service for anonymization. Investigators seized the suspect’s computers and data carriers, which are being fully evaluated.
“According to the accused, a computer that he had set aside two days before the search and a data backup from a share-hosting service could be found and secured,” the statement said.
Security researchers have warned users of P2P sites of a new malvertising campaign featuring a twin threat: info-stealing malware and ransomware.
By registering rogue advertising domains, the attackers are able to direct torrent site visitors to two different exploit kits: Fallout EK and GrandSoft EK, according to Malwarebytes.
Those unlucky enough to be pushed according to geolocation to the Fallout EK will then encounter Vidar, an info-stealer available on the cybercrime underground for $700, according to the vendor’s security researcher, Jérôme Segura.
The malware will take system and victim details from the machine including specs, running processes, IP address and ISP, as well as more sensitive personal and financial info.
“Vidar customers can customize the stealer via profiles, which gives them a way to adjust which kind of data they are interested in,” said Segura. “Beyond the usual credit card numbers and other passwords stored in applications, Vidar can also scrape an impressive selection of digital wallets.”
Vidar also serves as a loader for second-stage malware to improve the attackers’ chances of monetizing their raid, in this case GandCrab 5.04 ransomware.
“Threat actors can use ransomware for a variety of reasons within their playbook. It could be, for instance, a simple decoy where the real goal is to irreversibly corrupt systems without any way to recover lost data. But as we see here, it can be coupled with other threats and used as a last payload when other resources have already been exhausted,” explained Segura.
“As a result, victims get a double whammy. Not only are they robbed of their financial and personal information, but they are also being extorted to recover the now encrypted data.”
Although many reports suggest that attackers are increasingly turning their attention away from ransomware and towards cryptomining malware, ransomware will continue to be a top threat for firms for several years to come, according to Europol.
A leading cryptocurrency exchange has been forced to halt trading of Ethereum Classic (ETC) after spotting double spend attacks amounting to over $1m.
San Francisco-based Coinbase first detected the suspicious activity on January 5, noting a “deep chain reorganization of the Ethereum Classic blockchain that included a double spend.”
This was followed by another 12 double spends, totalling 219,500 ETC ($1.1m).
However, soon after spotting the first reorg, the exchange halted send/receive activity in the blockchain to protect customer funds.
Double spend or “51%” attacks are made possible when an entity manages to gain control of more than 50% of a blockchain’s hashrate, meaning they can reverse any transactions they make to respend their cryptocurrency funds.
The bigger picture problem is that by gaining majority control of the network, the attacker can raise questions about its integrity. That seems to have been borne out by the sharp drop in the value of ETC over the past 24 hours, although it is now starting to climb again.
ETC buy and sell activity is not affected by the shutdown, but at the time of writing sends and receives remained disabled by Coinbase while it monitored the situation.
“The Coinbase team is currently evaluating the safety of re-enabling sends and receives of Ethereum Classic and will communicate to our customers what to expect regarding support for ETC,” it said.
Double spend attacks are relatively common in the cryptocurrency space. In September last year exchange Bittrex was forced to delist Bitcoin Gold (BTG) currency after the latter refused to pay $250,000 in losses resulting from a 51% attack which may have stolen as much as $18m.
A researcher last year revealed that hackers could launch a double spend attack on a $2bn network like ETC for as little as $1.5m investment, potentially netting over $1bn in profit.
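The 51% attack described above is usually modelled with Nakamoto's catch-up probability: an attacker with hashrate share q racing an honest chain that is z blocks ahead. The code below is an added example, not Coinbase's or any ETC tooling; it reproduces that approximation so an exchange can see why raising its confirmation count only helps while q stays below 0.5.

```python
"""Attacker success probability for a double spend versus the attacker's
hashrate share q and the confirmations z an exchange waits for.
Added example for the ETC story; uses Nakamoto's (2008) approximation,
which the article does not reproduce.
"""
import math


def attacker_success(q: float, z: int) -> float:
    """Probability that an attacker holding share q of the hashrate ever
    overtakes the honest chain after the victim has seen z confirmations."""
    if not 0.0 < q < 1.0:
        raise ValueError("q must be a hashrate share strictly between 0 and 1")
    p = 1.0 - q
    if q >= p:
        return 1.0          # majority hashrate: catching up is certain
    if z <= 0:
        return 1.0          # zero confirmations: nothing to catch up with
    lam = z * q / p         # expected attacker blocks while honest miners find z
    caught_up = 0.0
    for k in range(z + 1):
        # Poisson term in log space so large z does not overflow a float.
        poisson = math.exp(k * math.log(lam) - lam - math.lgamma(k + 1))
        caught_up += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - caught_up


def confirmations_needed(q: float, max_risk: float, cap: int = 1000):
    """Smallest z with attacker_success(q, z) <= max_risk, or None when no
    confirmation count helps (q >= 0.5, the situation in a 51% attack)."""
    if q >= 0.5:
        return None
    for z in range(cap + 1):
        if attacker_success(q, z) <= max_risk:
            return z
    return None


if __name__ == "__main__":
    # Constructed policy: accept a deposit once the reversal risk is <= 0.1%.
    for q in (0.10, 0.30, 0.45, 0.51):
        print(f"q={q:.2f}  P(z=6)={attacker_success(q, 6):.7f}  "
              f"confirmations for 0.1% risk: {confirmations_needed(q, 0.001)}")
```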
The value of contactless card fraud has almost doubled in the UK over the past year, although still remains a tiny fraction of overall card losses, according to Action Fraud.
The national fraud reporting service claimed that there were 2739 reports of contactless fraud in the first 10 months of the year, costing victims nearly £1.2m. That’s up from 1440 cases with a value of £711,000 in the same period in 2017.
Losses ranged on average from £90 all the way up to £625. The largest single amount stolen was £400,000 — which would require a large number of tap-and-go payments on the part of the fraudster, as there’s a £30 maximum limit on each transaction.
Although there have been widely reported concerns about the possibility of fraudsters using fake readers to extract data from contactless cards, the reality is different, according to UK Finance.
The banking lobby group claimed last year that “no contactless fraud has been recorded on cards still in the possession of the original owner.”
Instead, it’s believed that most fraud via this channel happens when cards are stolen from the victim.
Whereas in the past reports have suggested criminals had a long window of opportunity before cards were finally cancelled, that too has changed, according to UK Finance.
“Technical changes have since been introduced, resulting in the majority of contactless transactions going online, meaning the transaction is authorized directly with the card issuer and an attempted purchase with a cancelled card would be declined,” it said.
It’s also true that contactless fraud remains low relative to overall card spend and total fraud levels.
UK Finance’s fraud round-up for the first half of 2018 claimed that contactless fraud represented just 3% of overall card fraud during the period.
“Fraud on contactless cards and devices remains low with £8.4m of losses during the first half of 2018, compared to spending of £31.9bn over the same period,” it revealed. “This is equivalent to 2.5p in every £100 spent using contactless technology, the same as it was in the first half of 2017.”
The Advanced Cyber Security Center (ACSC) has published its first annual report, “Leveraging Board Governance for Cybersecurity, the CISO / CIO Perspective,” the results of which highlight the need for boards to be active governance partners in collaborative cyber defense.
Recognizing the shared value of collaboration across organizational functions and between and among organizations when talking about cyber defense, the ACSC report calls upon boards to adopt a holistic and dynamic understanding of their organization’s cybersecurity responsibilities. In addition, boards are encouraged to maintain continuous direct access to CISOs and risk officers as well as with CIOs and other executives.
The report found, “For the most part, boards are not in a position to provide strategic guidance on cyber risk,” said Michael Figueroa, executive director of the ACSC in a press release. “In particular, the ACSC report has identified a need for a risk standard, much like those frameworks that financial and audit risk functions have refined over decades, that would help guide decision making and operations as they relate to cyber risk management.”
As part of the study, 20 ACSC member CISOs and CIOs from a wide range of organizations across multiple sectors worked in conjunction with four outside experts. Collectively, the focus group shared perspectives which revealed common themes and perceptions about board engagement as it relates to board-management relationship.
“I can’t help but agree with the observations, in that all but the smallest organizations should have the CISO role defined as the go-to person for security,” said Mukul Kumar, chief information security officer and VP of cyber practice at Cavirin.
“He or she manages up to others in the C-suite and the board, and ties together strategy across DevOps, SecOps, risk and compliance. The best example of a failure to clearly establish roles, responsibilities and lines of reporting is clearly outlined in the House committee report on the Equifax breach.”
According to the report findings, the board-management relationships are only in the nascent or maturing stages, which indicates that in most cases the boards are not effectively guiding management in making strategic risk-based decisions.
In addition, most boards are bereft of individuals with any real cyber expertise. The report recommended that they should make efforts to recruit members who can augment the board’s ability to build strategic partnerships that provide guidance specifically related to cyber risk.
“Boards should prioritize and support senior management’s development of a new generation of outcome-based cyber risk management frameworks, and in the meantime, executives should use only a few operational metrics with boards,” the report stated.
Singapore Airlines (SIA) has revealed that a software bug exposed the personal data of 285 customers, including seven with passport details, after a change was instituted on their website over the weekend. A software glitch reportedly caused a data breach of its frequent flyer program, compromising personal information that includes passport and flight details of its members.
According to SIA, who spoke to Channel NewsAsia, the incident occurred between 2:00am and 12:15pm on Friday. “We have been made aware of a number of cases in which a customer logged in to his or her KrisFlyer account, under certain specific conditions, may have been able to see selective details of another customer.”
The incident reportedly came to light after a KrisFlyer member did just that. In a Facebook post, Tricia Leo wrote that she was able to see someone else’s information when she logged in to her own account.
Software bugs can often lead to these types of breaches of end users' data, and according to Matt Rose, global director of application security strategy, Checkmarx, these nearly daily occurrences are the result of increased complexities in modern web application and software design.
“Most security programs don’t take a holistic approach to managing all the points of software exposure,” Rose said. “In the case of Singapore Airlines, poor software security testing practices on a software update has led to the privacy invasion of nearly 300 customers, exposing extremely sensitive information like passport numbers. Unfortunately, this isn't the first we've heard of an airline breach and it won't be the last, which is why software must become a priority in the security program of airline companies worldwide."
However, there are ways to mitigate the damage from exposed data that result from software glitches and data breaches. “Institute new technologies that include passive biometrics and behavioral analytics,” said Ryan Wilk, VP of customer success for NuData Security, a Mastercard company.
“Leveraging these technologies will allow companies to correctly identify customers by their behavior online rather than by credentials that have been stolen. It is an approach that allows companies to continue rewarding customers while cutting stolen credentials out of the equation even if a breach of personal data occurs.”
A WhatsApp hoax message has reportedly resurfaced, raising concern among users who have received what appear to be different versions of fake chain messages that have been actually circulating for a few years.
Scammers are leveraging the current state of cybersecurity – in which end users are constantly reminded to keep their software updated – with the return of a hoax message promoting a premier WhatsApp service. The message tells users to download a fake update called WhatsApp Gold, according to the Evening Standard.
However, WhatsApp Plus and WhatsApp Gold are not applications developed by WhatsApp. Chain messages related to both of these fraudulent apps, as well as the Martinelli virus scam, have reportedly been around since 2016 and were deemed hoaxes in 2017. Warnings of the malware’s return have resurfaced since the start of 2019. The hoax message promises users access to enhanced features in WhatsApp if they download the latest "secret" update; when users click on the link, however, they are potentially downloading malicious software nicknamed WhatsApp Gold, according to Snopes.
Twitter is abuzz with tweets warning users to beware of the fraudulent message. According to Hackers Interview, “This is a malware which could hack into your framework and even degenerate your information. You are instructed to stay away regarding such updates. There is a high likelihood that you will get the message since it has just been circled on a huge scale and it convincingly influences individuals to trust that this is a new version with new highlights.”
The WhatsApp Gold hoax reportedly first circulated by way of a chain message in which users were warned about a forthcoming video containing malware. Snopes reported: “In May 2016, several users of the messaging service WhatsApp reported that they had received an offer to download something called 'WhatsApp Gold.' While the messages varied, they all claimed that users who downloaded the new 'premium service' would get access to extra features, such as video calling and new emojis.”
Three-fifths (60%) of US organizations have experienced security incidents related to their use of containers over the past year, according to new research from Tripwire.
The vendor polled over 300 IT security professionals who manage these environments at firms of over 100 employees to better understand the challenges associated with deployment of the lightweight software packages.
The figure for security incidents jumps to 75% for respondents with more than 100 containers in production.
Worryingly, the report also found that of the vast majority (86%) of respondents with containers currently in production, 47% had deployed images containing known vulnerabilities, while a similar number (46%) didn’t know if the containers were affected by flaws or not.
Most (98%) said they need additional security capabilities to help them. Areas where security concerns are greatest include a lack of in-house expertise, limited visibility into the status of deployments and an inability to assess risk prior to deployment, the poll found.
Popularized by vendors like Docker, containers are increasingly favored by developers as they provide a more portable, efficient alternative to virtual machines. They are particularly good at ensuring software works across hybrid cloud environments.
However, organizations are being held back by security concerns: 42% of respondents to the Tripwire research claimed they had delayed or limited adoption due to cyber risk.
The firm’s vice president of product management and strategy, Tim Erlin, claimed the findings were “concerning, but not surprising.”
“With the increased growth and adoption of containers, organizations are feeling the pressure to speed their deployment,” he added. “To keep up with the demand, teams are accepting risks by not securing containers. Based on what this study found, we can see that the result is a majority of organizations experiencing container security incidents.”
Just last month, a critical vulnerability was found in popular container orchestration platform Kubernetes which could allow hackers to remotely control targeted systems.
New research from ESET has revealed that 60% of UK consumers are leaving themselves vulnerable to New Year’s resolution online scams.
ESET surveyed 2000 people about their New Year’s resolution plans for 2019, with the top results being to lose weight/get fitter (64%), live a healthier lifestyle (50%) and save money (48%). However, the findings also showed that almost one in three (27%) consumers feel pressured by brands to go for quick fixes to help them achieve their goals with things like ‘today only’ deals.
Respondents revealed that they would be willing to download new apps (29%), enter online competitions (28%) or click through to deals they received via email (16%) to achieve resolution success, yet only four in 10 (39%) were certain they had anti-virus software on their mobile devices to protect them. That means over 60% of consumers could be putting themselves at risk of New Year’s resolution-themed scams.
Branislav Orlik, product manager for mobile security at ESET said: “At this time of year, it is incredibly easy to be enticed into exciting offers and quick-fix solutions, while scrolling through our phones or tablets. However, smartphone users with no anti-virus software are opening themselves up to some serious threats.
“While an email deal or competition may seem enticing, clicking through on an unsafe link or entering your details online can make you vulnerable to hackers and leave your personal data at risk. It is crucial to consider how you can best protect your devices.”
To avoid falling victim to these types of scam, ESET had the following advice for users:
- Watch out for increased phishing email attacks in the form of ‘quick-fix’ deals
- If you haven’t visited a particular brand’s website before, do your homework and research reviews and comments from trusted review sites
- Be very cautious of deals you see on Facebook, Instagram and so on – even if there are lots of ‘likes’ on the post. There are plenty of scams that take advantage of easily accessible and cheap social media advertising platforms.
- Download anti-virus software for all your devices, including smartphones and tablets
The City of Los Angeles has filed a lawsuit against a popular US-based weather app, alleging it illegally sells user data to third parties.
LA city attorney, Mike Feuer, is claiming the Weather Channel app misled users in that most agreed to allow it access to their location data purely for personalized forecasts.
In reality, this data was also sold to websites for targeted ads and to hedge funds to assist with analysis of consumer behavior, according to the suit. At least a dozen websites over the past 19 months are said to have used the data to personalize advertising.
“If the cost of a weather forecast will be the sacrifice of deeply private information – like precisely where we are, day and night – it must be clear, in advance,” he argued. “But we allege TWC elevates corporate profits over users’ privacy, misleading them into allowing their movements to be tracked, 24/7. We’re acting to stop this alleged deceit.”
With an estimated 45 million monthly users, the app claims to be “the world’s most downloaded weather app” and is operated by TWC Product and Technology, but owned by IBM. It allegedly collects over one billion pieces of user location data every week.
The tech giant bought the digital assets of the Weather Company for $2bn back in 2015, although the TV channel is owned by a separate entity.
“The Weather Company has always been transparent with use of location data; the disclosures are fully appropriate, and we will defend them vigorously,” it said in a reported statement.
The lawsuit is seeking an injunction to prevent the app from allegedly “deceptively collecting and selling personal data,” and civil penalties of $2500 per violation.
A highly convincing phishing email spoofed to appear as if sent from the UK’s TV Licensing authority has accrued thousands of complaints over the past three months.
Action Fraud warned back in October that the scam email was designed to steal a user’s personal and financial details.
“They will use headlines such as ‘correct your licensing information,’ ‘billing information updates’ and ‘renew now’ to trick people into clicking on the link within the email,” it said at the time.
“When a victim clicks on the link, they will be led to a convincing looking TV Licensing website. The website is designed to harvest as much personal and financial information as possible from the victim.”
The fraud prevention organization claimed it has now received over 5000 complaints about the phishing campaign over the past three months, according to reports.
The phishing site requests users fill in full payment details including account number, sort code and CV2 number, as well as name, address, phone number and more.
Stephen Cox, chief security architect at SecureAuth, argued that although low levels of security awareness are partly to blame, organizations must also play their part in addressing the phishing epidemic.
“There is a shared onus here, between the users maintaining a level of vigilance during their online activity, companies engaging in reasonable security to protect their users and sensitive data, and the security industry as a whole to continue to raise the bar in terms of innovation and user experience,” he added.
“Locking down accounts that have been actively or potentially compromised during a phishing attack can leave users feeling frustrated, unable to access their resources, and this can have a measurable impact on the business. Companies must understand the urgent need for stronger identity security practices, allowing them to increase the trust that their users are who they say they are.”
TV Licensing has issued a quick guide for users on how to tell if an email is genuine or not.
Researchers at Trend Micro discovered spyware that had successfully disguised itself as a legitimate Android application. Initially found in a game called Flappy Birr Dog, the malware has been widely distributed, affecting users from 196 different countries.
According to research, the application was available on Google Play and had more than 100,000 recorded downloads from users worldwide. In total, the spyware was discovered in six different applications, all of which have been suspended from Google Play, though five of the apps were removed in February 2018.
The spyware, ANDROIDOS_MOBSTSPY, was reportedly stealing information that included not only user location but also SMS conversations and call logs. “It uses Firebase Cloud Messaging to send information to its server. Once the malicious application is launched, the malware will first check the device’s network availability. It then reads and parses an XML configure file from its C&C server,” researchers wrote.
In addition, the malware has phishing capabilities and displayed fake pop-ups from Facebook and Google. The pop-ups prompted the user to enter log-in information, though the attempt would fail and deliver an "unsuccessful log-in" alert, albeit too late because the credentials had already been stolen.
“Attackers are getting better and better at sneaking malware onto official app stores, which they view as the ultimate distribution channel for their criminal schemes," said Sam Bakken, senior product marketing manager, OneSpan. "And we won’t see this trend abate any time soon with the potential for fraud that opens up via mobile apps and devices. Not only do we all need to continue to educate users on mobile hygiene, banks, retailers, etc., that engage with their customers via mobile apps need to be sure their apps are secured against malware that targets their apps and users. Thankfully, technology exists that can be easily integrated into existing mobile apps that monitors those apps in real-time to take action on attacks such as these.”
Researchers identified what they are calling a first-of-its-kind phishing template that uses fake fonts to exploit web font features typically used by developers to deploy a range of fonts on user devices. This new template uses fake web fonts to render well-crafted phishing pages that harvest credentials while impersonating a major US bank, the research said.
Researchers listed several email addresses that were associated with the phishing kit within the PHP source codes and hard-coded as recipients of stolen credentials.
In addition, researchers explained, “when the phishing landing page renders in the browser, users are presented with a typical online banking credential phish leveraging stolen bank branding. However, the source code of the page includes unexpectedly encoded display text.”
The trick was discovered when researchers copied the visible text from the webpage and pasted it into a text file: the custom web font file used in the phishing landing page causes the browser to render the page’s ciphertext as plaintext.
Researchers concluded that “threat actors continue to introduce new techniques to evade detection and hide their activities from unsuspecting victims, security vendors, and even from savvy organizations proactively searching for brand abuse. In this case, actors developed a phishing template that uses a custom web font to implement a substitution cypher, among other techniques, to render well-crafted phishing pages for credentials to a major US bank.”
Phishing attacks continue to grow more sophisticated, and even fairly simple tactics such as a substitution cipher can allow threat actors to evade detection.
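The font trick described above is a substitution cipher whose decryption step happens in the browser's glyph lookup, so a scanner that reads the source sees gibberish. The script below is an added example, not the researchers' tooling or the kit itself: the glyph mapping, the word list and the sample page are all constructed, and the data URI is a placeholder standing in for an embedded font. It shows the triage check a defender can run on a suspected page: is the visible text unreadable while a custom inline font is applied to it?

```python
"""Heuristic triage for the web-font substitution-cipher phishing trick.

The HTML source carries ciphertext; a custom @font-face font draws each
ciphertext letter with the glyph of the intended plaintext letter, so the
browser shows readable bank text while text-matching scanners see gibberish.
Added example: the mapping, vocabulary and page below are constructed.
"""
import html
import re
import string

ALPHABET = string.ascii_lowercase
# Constructed glyph remapping (not the kit's real font): wherever the source
# contains a letter from CIPHER, the font draws the glyph of the letter at the
# same position in ALPHABET, so the reader sees plaintext.
CIPHER = "qwertyuiopasdfghjklzxcvbnm"
TO_SOURCE = str.maketrans(ALPHABET + ALPHABET.upper(), CIPHER + CIPHER.upper())
TO_RENDERED = str.maketrans(CIPHER + CIPHER.upper(), ALPHABET + ALPHABET.upper())

# Tiny vocabulary for the readability heuristic; a real scanner would use a
# full word list plus the impersonated brand's own page text.
COMMON_WORDS = {
    "the", "to", "of", "or", "and", "in", "on", "for", "your", "you", "is",
    "sign", "log", "login", "online", "banking", "bank", "account", "enter",
    "user", "id", "password", "please", "verify", "secure", "continue",
}

PAGE_TEMPLATE = ("<html><head><style>{css}</style></head>"
                 "<body class='x'><p>{text}</p></body></html>")
# Placeholder data URI: a real kit embeds the whole remapped font here.
INLINE_FONT_CSS = ("@font-face { font-family: 'x'; "
                   "src: url('data:font/woff2;base64,AAAA') format('woff2'); } "
                   ".x { font-family: 'x'; }")


def build_page(text: str, with_font: bool) -> str:
    """Constructed landing page; with_font=True applies the remapped font."""
    css = INLINE_FONT_CSS if with_font else ""
    return PAGE_TEMPLATE.format(css=css, text=html.escape(text))


def visible_text(html_src: str) -> str:
    """Text as a source-reading scanner sees it: tags and CSS removed."""
    no_css = re.sub(r"<(style|script)\b.*?</\1\s*>", " ", html_src,
                    flags=re.I | re.S)
    no_tags = re.sub(r"<[^>]+>", " ", no_css)
    return " ".join(html.unescape(no_tags).split())


def readability(text: str) -> float:
    """Fraction of alphabetic tokens that are known words (0.0 to 1.0)."""
    tokens = re.findall(r"[A-Za-z]{2,}", text)
    if not tokens:
        return 0.0
    return sum(t.lower() in COMMON_WORDS for t in tokens) / len(tokens)


def has_inline_custom_font(html_src: str) -> bool:
    """True when an @font-face rule loads its font from an inline data URI."""
    pattern = r"@font-face\s*\{[^}]*src\s*:\s*url\(\s*['\"]?data:"
    return re.search(pattern, html_src, flags=re.I | re.S) is not None


def assess(html_src: str) -> dict:
    """Flag pages whose source text is unreadable but which ship their own
    inline font: the signature of the glyph-remapping cipher."""
    score = readability(visible_text(html_src))
    inline_font = has_inline_custom_font(html_src)
    return {"readability": round(score, 2), "inline_font": inline_font,
            "suspicious": inline_font and score < 0.5}


# Constructed samples: the same banking prompt, once as the kit would ship
# it (ciphertext plus inline font) and once as an ordinary page.
PLAINTEXT = "Sign in to online banking. Enter your user ID and password."
SOURCE_TEXT = PLAINTEXT.translate(TO_SOURCE)   # what the HTML source carries
CIPHER_PAGE = build_page(SOURCE_TEXT, with_font=True)
PLAIN_PAGE = build_page(PLAINTEXT, with_font=False)

if __name__ == "__main__":
    print("source text :", SOURCE_TEXT)
    print("as rendered :", SOURCE_TEXT.translate(TO_RENDERED))
    print("cipher page :", assess(CIPHER_PAGE))
    print("plain page  :", assess(PLAIN_PAGE))
```

Recovering TO_RENDERED from a real kit means reading the font's character-to-glyph table, which this example does not do; the heuristic in `assess` needs no such mapping.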
The Marriott breach announced on November 30, 2018, was initially suspected to have compromised the data of nearly 500 million customers, but on Friday the Starwood company updated its database security incident advisory to reflect what it now believes to be a more realistic and slightly smaller number of guests that were impacted.
After weeks of data analysis, the company was able to eliminate duplicate information and formulate a more accurate upper boundary of approximately 383 million records compromised. However, Marriott said in the amendment to its original notice that it believes far fewer than that were actually compromised.
Marriott now believes that “there were approximately 8.6 million unique payment card numbers, all of which were encrypted [and] approximately 5.25 million unique unencrypted passport numbers and approximately 20.3 million encrypted passport numbers.”
"We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened," Marriott CEO Arne Sorenson said in a written statement. "As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers' concerns and meet the standard of excellence our customers deserve and expect from Marriott.”
As the lines between the physical world and cyberspace continue to blur, Tom Kellermann, chief cybersecurity officer at Carbon Black, said that signals intelligence (SIGINT) gathering and human intelligence (HUMINT) gathering are merging. “The Chinese have taken a page from the Russian cyber playbook. The Chinese can now track individuals as they travel and leverage physical and cyber assets to spy on them. This breach is the tipping point that the new Congress may use to mandate federal data breach reporting.”
While updating security incident advisories is a mandate of GDPR intended to protect privacy, the customers are not the only ones affected in a major breach. As these nation-state attacks grow more common, a gap between what investors need and what companies disclose about cyber incidents also grows, according to Jake Olcott, VP of communications and government affairs, BitSight.
“While the number of records compromised is a relevant data point, investors need to know the financial impact of an incident: What is the estimated financial impact to the brand? The litigation fees? The forensics fees? Does insurance cover these costs? The SEC and the investor community can do more to ensure that the market is receiving material information on these critical issues.”
Over 7.5 million players of online game Town of Salem have been affected by a data breach at developer BlankMediaGames (BMG) over the Christmas holidays.
Hacked database search engine provider DeHashed explained in a blog post on Tuesday that it was approached by email last week by someone with a full trove of newly breached data.
The incident stemmed from a local file inclusion/remote file inclusion vulnerability, according to the firm.
“The data affected includes but is not limited to: Usernames, Emails, Passwords (phpass, MD5(WordPress), MD5(phpBB3)), IP Addresses, Game & Forum Activity, & Payment Information,” it explained. “The total row count is: 8,388,894, with 7,633,234 unique email addresses.”
The firm doesn’t store payment/card information but the above info could be used to launch follow-on phishing attempts. MD5 is also theoretically crackable.
Although BlankMediaGames took a few days to respond to the incident, it apologized in an update on Wednesday, blaming the “terrible timing” of the hack.
“The BMG staff is just coming back from Christmas/New Years vacation and we were informed that there may have been a breach of our database. I am currently in contact with Rackspace to figure out what happened and prevent it from happening again,” noted an official statement on the Town of Salem forum.
“We don't store any credit card or payment info. At all. All passwords were hashed and not plain text. This means they do not know what your password is unless they run a program to attempt to guess it against the hashed password. Any reasonably strong password will take a very long time to be guessed.”
Users would still be advised to change their passwords, especially if these credentials are reused on other sites like online banking.
BMG has “removed multiple backdoors on their server” as it looks to remediate the incident, according to DeHashed. The latter also said it had shared the database of breached information with HaveIBeenPwned.
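The hash formats DeHashed lists (phpass, and the MD5-based phpass variants WordPress and phpBB3 write) differ from raw MD5 only in the salt and the iteration count, which phpass stores in the hash itself. The code below is an added example, not BMG's or DeHashed's; it reimplements the phpass algorithm on the standard library so a responder triaging a dump can read each hash's work factor and decide which accounts to force-reset first. The only real input is the phpass project's published test vector; the raw MD5 sample is constructed.

```python
"""Triage of the password-hash formats named in the breach notice: phpass
('$P$' as WordPress writes it, '$H$' as phpBB3 writes it) versus raw MD5.
Added example, not code from BMG or DeHashed; phpass is reimplemented here
on the standard library.  The one real input is the published phpass test
vector for the password 'test12345'.
"""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant (not RFC 4648): 16 bytes become 22 chars."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_hash(password: str, setting: str):
    """Recompute a phpass hash from its 12-char setting: '$P$' or '$H$', one
    char encoding log2(iterations), then an 8-char salt.  None if malformed."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        return None
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return None
    salt = setting[4:12].encode()
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):      # the stretching loop raw MD5 lacks
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def check_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate against a stored phpass hash."""
    computed = phpass_hash(password, stored[:12])
    return computed is not None and hmac.compare_digest(computed, stored)


def classify(stored: str) -> dict:
    """Name the scheme and count MD5 calls per guess: the figure that separates
    'hashed' from 'hashed well' in the BMG statement."""
    if stored[:3] in ("$P$", "$H$") and len(stored) == 34:
        rounds = 1 << ITOA64.find(stored[3])
        return {"scheme": "phpass", "md5_per_guess": rounds + 1}
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower()):
        return {"scheme": "raw-md5", "md5_per_guess": 1}
    return {"scheme": "unknown", "md5_per_guess": None}


if __name__ == "__main__":
    PHPASS_VECTOR = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"   # phpass test vector
    RAW_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"            # constructed sample
    for h in (PHPASS_VECTOR, RAW_MD5):
        print(h, classify(h))
    print("vector verifies:", check_password("test12345", PHPASS_VECTOR))
```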
The German political establishment is reeling after personal data and communications from hundreds of politicians including Chancellor Angela Merkel were released by hackers.
Discovered only yesterday, the information had actually been released over the past fortnight by Twitter user ‘G0d’, who claims to be based in Hamburg and whose bio indicates he is a security researcher with an interest in “satire & ironie.”
The data includes a mix of personal and political party information including email addresses, mobile phone numbers, photos of identity cards, direct debit authorizations, credit card info, chats with family members, and internal party communications, according to state broadcaster RBB.
Interestingly, members of all parties in the Bundestag are represented in the leak, except for the far right AfD, which could hint at the motivation of those behind the hack.
It remains to be seen how the data was obtained, although given the range of different information exposed it’s likely to have come from multiple different sources, the report claimed.
Although reporters and investigators are still combing through the data dump, the largest ever of its kind in Germany, there don’t appear to be any politically sensitive revelations contained therein.
German security agency the BSI is currently investigating the incident, which apparently also includes data on celebrities and musicians.
This isn’t the first time German lawmakers have been on the receiving end of cyber-attacks. Russian state actors were blamed for a 2015 attack on the Bundestag network which saw sensitive data stolen.
In 2017 the German parliament was reportedly able to repel an attack which lured lawmakers to a Jerusalem Post page infected with malicious ads, while last year, the BSI investigated a possible intrusion into a government communications network.
“Releasing personal data on politicians is far more targeted than we usually tend to see. However, officials in high powered positions must be all too aware of the associated risk and consequences of a breach,” argued ESET UK cybersecurity expert, Jake Moore.
“I would suggest they take a few minutes to cancel the cards in question and add fraud protection before the hacking world takes advantage of this breach.”